Report No. AUD-08-001
October 2007

FDIC’s IT Disaster Recovery Capability

Background and Objective of the Audit

The Office of Management and Budget has issued policy requiring federal agencies to establish and periodically test their ability to recover from information technology (IT) service interruptions. In addition, the National Institute of Standards and Technology (NIST) has developed security standards and guidelines to assist agencies in restoring their information systems following a disruption or failure. Further, organizations can consider adopting a number of industry-accepted practices related to IT disaster recovery.

Key to achieving the FDIC’s business goals and objectives is having a reliable recovery capability for the Corporation’s critical IT systems and applications.

The objective of the audit was to determine whether the FDIC has established and implemented an IT disaster recovery capability consistent with federal standards and guidelines and industry-accepted practices.

Results of Audit

The FDIC has established and implemented an IT disaster recovery capability that is consistent with federal standards and guidelines and industry-accepted practices. Among other things, the FDIC has established an alternate processing site and developed written plans to recover its general support systems and mission-critical applications following a disaster. In April 2007, the FDIC’s Division of Information Technology (DIT) conducted a test of its IT disaster recovery capability and successfully recovered its general support systems and mission-critical applications. DIT issued a report on the results of its IT disaster recovery testing, including the issues it identified during the testing and the associated solutions, to improve future recovery responsiveness and reliability.

These accomplishments are positive. However, our audit identified the following areas needing enhancements to further assure that information security controls are in place in the event of a disaster.

    •   The FDIC’s corporate contingency planning policy does not reflect the FDIC’s current IT disaster recovery practices or recent NIST guidance.

    •   Security patches were not installed on certain servers in the FDIC’s alternate processing site.

    •   DIT had not documented or tested its strategy for recovering the key security services designed to protect the FDIC’s alternate processing capability during a disaster.

Our report also identifies opportunities for DIT to enhance its IT disaster recovery performance metrics. We discussed these opportunities with DIT officials during our audit.

Recommendations and Management Response

We recommended that FDIC management (1) update the FDIC’s corporate contingency policy; (2) take steps to ensure that security patches are installed on disaster recovery servers in a timely manner; and (3) document and test, as appropriate, DIT’s strategy for recovering key security services. In general, management concurred with our recommendations and is taking responsive corrective action.

Because the report addresses issues associated with information security, we do not intend to make public release of the specific contents of the report.